Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados (LGPD) – an overview

The Lei Geral de Proteção de Dados or General Data Protection Law in English (LGPD) is a legal framework to regulate the collection and use of personal data. It came into effect in Brazil on August 16, 2020. The law was passed, and will be enforced, by the Autoridade Nacional de Proteção de Dados or National Data Protection Authority (ANPD).

The LGPD is not the first or only data privacy law in South America, but it is perhaps the best publicized one from that region. The LGPD was influenced by the European Union’s General Data Protection Regulation (GDPR), and has also expanded its coverage in some areas from the GDPR’s parameters. The ANPD will also be instrumental in evolving its parameters.

The General Data Protection Law (LGPD) (in Portuguese) is a federal law in Brazil designed to unify 40 existing laws to regulate processing of the personal data of individuals. It was passed on September 18, 2020 and was backdated, coming into effect on August 16, 2020. Penalties became enforceable on August 1, 2021, and data subjects and public authorities could enforce their rights starting on Sept. 18, 2020.

The LGPD is made up of 65 articles. Articles 17-22 deal with the rights of data subjects, those whose data is collected and/or processed, so mainly individuals or natural persons. It has 10 legal bases for the processing of personal data, four more than the GDPR.

Article 2 lists the law’s fundamentals of personal data protection:

1. respect for privacy
2. informational self-determination
3. freedom of expression, information, communication and opinion
4. inviolability of intimacy, honor and image
5. economic and technological development and innovation
6. free enterprise, free competition and consumer defense
7. human rights, free development of personality, dignity and exercise of citizenship by natural persons

Per Article 3, the LGPD applies to any data processing that takes place in Brazil, for the purposes of offering goods and services or to process data, or people who are located in Brazil. The means of the processing are not relevant.

Data processing carried out by any natural person or public or private legal entity (commonly a business or organization) is covered by the LGPD. The organization doing the data processing does not have to have a physical presence in Brazil or be headquartered there. It only matters if the data subjects are located there and the processing takes place there. This extraterritoriality component is common to international privacy laws.

Article 4 outlines when the LGPD does not apply. This would be the case when the processing of personal data:

1. is performed by a natural person exclusively for private and non-economic purposes
2. is performed solely for journalistic, artistic, and/or academic purposes
3. is performed solely for the purposes of public safety, national defense, state security, or investigation and prosecution of criminal offenses
4. originates from outside of Brazil and is not the object of communication or shared with Brazilian data processing agents or the object of international transfer with another country other than the country of origin (provided the country of origin provides a reasonable degree of data protection)

Article 18 outlines the Personal Data Subject’s Rights in Relation to the Controller:

1. to confirm that their personal data is being processed
2. to access their personal data
3. to correct incomplete, incorrect or out-of-date personal data
4. to have anonymized, blocked, or deleted any unnecessary, excessive, or non-compliant personal data
5. to request that a data controller move their personal data to another service or product provider (data portability)
6. to delete their personal data (with exceptions as outlined in Article 16)
7. to be given information on public or private entities with whom, and how their personal data has been shared
8. to be given information about their rights to not give consent to process their personal data, and consequences of refusal
9. to revoke consent to process their personal data

Important definitions in the LGPD are outlined in Article 5. These are some of the most important or frequently referenced.

Personal data

Information related to (collected from or about) an identified or identifiable natural person.

Sensitive personal data

Personal data that could be used to identify an individual, and that is related to “racial or ethnic origin, religious conviction, political opinion, union affiliation. Or religious, philosophical or political organization, health or sexual life data, genetic or biometric data, when linked to a natural person.” (Broadly, personal data has the ability to inflict greater harm if misused.)

Processing

Any operation performed with personal data, such as “collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification , communication, transfer, diffusion or extraction.”

Data subject

A natural person or individual whose data is being processed.

Controller

A natural or legal person, either public or private (so can refer to a company or other organization), that makes decisions about the processing of personal data.

Operator

A natural or legal person, either public or private (so can refer to a company or other organization), that processes personal data on behalf of the controller. Referred to as the “data processor” in some other laws.

Shared use of data

The “communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities allowed by these public entities, or between private entities”.

International transfers have been an important issue where countries lack adequacy agreements regarding data protection. Shared use is also important for companies that make their money selling data, as data subjects typically must consent before their data can be shared with or sold to third parties.

Anonymization

This process refers to “reasonable and available technical means at the time of treatment” to remove identifiable markers from data so it “loses the possibility of direct or indirect association with an individual”. It’s also common under privacy laws to require that the data cannot and will not be deanonymized, i.e. made identifiable again.

Article 5 outlines key definitions under the LGPD, and consent is defined as the “free, informed and unambiguous expression by which the data subject agrees to the processing of his personal data for a determined purpose”.

“Free, informed and unambiguous” are fundamental to definitions of valid consent in other privacy laws as well.

Article 8 outlines conditions for obtaining, re-obtaining and proving receipt of consent, as well as conditions for revocation of consent.

The LGPD uses an “opt-in” model of user consent, which means that in most cases organizations cannot collect or process data until the user ​​– an online shopper, website visitor, app user, etc. – consents to it. This requirement includes both personal data like names and email addresses, but also granular and “behind the scenes” data like that collected by website cookies.

Internationally, other laws, like the European Union’s General Data Protection Regulation (GDPR) and South Africa’s POPIA also use this consent model. In the United States, however, to date an “opt-out” model of user consent has been implemented at the state level (including California, Virginia, and Colorado). Organizations subject to these regulations do not have to obtain user consent prior to collection of data, except in some specific cases. They only have to obtain consent prior to selling the data (also with some specific exceptions).

Article 7 outlines the legal bases or circumstances under which data processing may be carried out. As noted, there are 10, four more than in the GDPR. The first listed is consent, which we have already looked at. Some other valid legal bases include the controller’s legal or regulatory obligation, performance of a contract, and protection of data subjects’ lives or safety.

The full list includes:

1. with the data subject’s consent
2. to comply with the data controller’s legal or regulatory responsibilities
3. for public administration and carrying out public policies set out in law, regulation, or in contracts
4. for research studies (anonymized where possible)
5. to carry out a contract
6. to exercise Brazilian law
7. to protect life or personal safety
8. by healthcare or sanitation professionals, to safeguard a person’s health
9. for the legitimate interest of the data controller or a third party, unless that would infringe upon the data subject’s statutory rights
10. to protect credit ratings

Legitimate interest(s) as a legal basis for data processing has been popular under other privacy laws, since it could mean less work for the controller and others — consent doesn’t have to be obtained and managed, for example. It should also be noted that the 10 legal bases for data processing under the LGPD are not listed hierarchically, and the most appropriate one should be decided based on specific circumstances. Legitimate interest shouldn’t be the first choice or last resort.

Generally, legitimate interest means use of personal data in a way that is reasonably expected (typically by the data subject), beneficial to the controller and subject, but not legally required. “Interest” is a very broad term, and can encompass anything from commercial interests to the public good.

Legitimate interest under the LGPD (Article 10) would apply under several broad conditions:

• the data processing has a clear benefit, but is not legally required
• there is little risk of the processing infringing on data subjects’ privacy
• data subjects can reasonably expect that use of their data

Organizations can’t just claim legitimate interest as their legal basis for their own convenience. The processing does need to be necessary for a defined purpose, and additional transparency is required. Use of legitimate interest requires balancing the rights of data subjects with the interests of data controllers (and possible third parties).

The concept of legitimate interest is less mature in Brazil than in the EU, so there is ongoing discussion about what constitutes legitimate interest and under what circumstances it is appropriate to be applied. There has been concern since the law was drafted about legitimate interest being “carte blanche” for data controllers.

There is a three-part test that’s considered best practice before deciding on legitimate interest as a legal basis for data processing:

1. purpose test (what is the legitimate interest)
2. necessity test (is the processing necessary for the defined purpose)
3. balancing test (what are the individual’s/data subject’s interests)

The LGPD gives the ANPD the ability to require data controllers to prepare a Data Protection Impact Assessment/Report (Article 38) when the controller’s chosen legal basis is legitimate interest. This is intended to identify and mitigate the risks to the processing. The processing may not be any riskier than that for which consent is required. But when the necessity of informing users to obtain consent is not present, the same transparency to users does not have to be in place.

There is some debate over whether a DPIA is the right mechanism in such cases, or whether a legitimate interest assessment would be better.

Key questions for organizations when any privacy law comes into effect relate to who it applies to, and what the conditions are for compliance.

Article 6 provides the LGPD’s principles governing data processing:

1. purpose: carrying out the processing for legitimate, specific, explicit and informed purposes for the data subject, with no additional processing
2. adequacy: processing is compatible with the purposes that the data subject has been informed about, according to the context of the processing activity
3. need: the processing activity is limited to the minimum necessary for the accomplishment of its purpose(s), with the comprehensiveness of the relevant data proportional to the stated purpose(s) of the processing
4. free access: data subjects are guaranteed free and easy consultation about the completeness of their personal data and the form and duration of the processing activity
5. data quality: the accuracy, clarity, relevance and updating of subjects’ data is guaranteed, according to the need and for the fulfillment of the purpose of its processing
6. transparency: data subjects are guaranteed clear, accurate and easily accessible information about the processing and the respective processing agents, as long as commercial and industrial secrets remain safeguarded
7. security: technical and administrative measures are used to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, communication or dissemination
8. prevention: measures are adopted to prevent damage due to the processing of personal data
9. non-discrimination: processing activity cannot be carried out for illicit or abusive discriminatory purposes
10. responsibility and accountability: effective measures are adopted to prove observance of and compliance with personal data protection rules, including the effectiveness of such measures

Overall, companies’ responsibilities are fairly standard. Ensure a clear and legal purpose for data processing is established, as well as a legal basis for doing so, before any data is collected. Only collect and process the data that is absolutely needed, and only for the stated purpose and amount of time it’s needed. The data must be collected, accessed, and stored securely. Data subjects have the right to know what data of theirs is processed, how, and by whom, and to consent to that or refuse it. They also have the right to access any data collected, ensure it’s accurate, or request its deletion. Compliance is required for data subjects located in, and data processing taking place in Brazil, regardless of where the organization doing the data processing is located.

The LGPD requires organizations to implement privacy by design, and a Data Protection Officer is key to those activities. Every data-processing controller (but not processors) must appoint a DPO, and they are responsible to ensure organizations’ obligations are met.

Article 40 addresses requirements for a Data Protection Officer. Due to an Executive Order, the DPO no longer needs to be a natural person, so could be fulfilled by a committee or group, or outsourced by the organization. The law does not provide specifications about the size of a company or nature of their business or data processing regarding the requirement to have a DPO. The ANPD may refine this over time, however.

Per Article 41, the DPO’s identity and contact information must be publicly available. They do not have to hold any particular credentials or have specific experience, though this may also change in the future, and some credentials or experience may make fulfilling their duties easier.

The DPO liaises with data subjects, receiving communications or complaints from them, and providing information to or adopting measures affecting them. They receive communications from and adopt measures for the national authority, the ANPD, as well.

The DPO ensures that the organization’s employees and relevant third parties, like contractors, are trained in data processing requirements and security measures, and maintain them. And they generally carry out other duties as required by the ANPD as well.

Data transfer requirements and responsibilities under the LGPD look similar to those under the GDPR. Article 33 outlines when data may be transferred internationally. As noted already, the LGPD is extraterritorial in scope, so if data subjects are in Brazil at the time of data processing, even if the processing takes place outside Brazil, the LGPD applies, and data transfer is considered to have taken place.

Organizations can transfer personal data outside of Brazil (e.g. for processing) under the following conditions:

1. countries or organizations that provide an adequate degree of protection of personal data acceptable to the ANPD
2. The controller offers and provides compliance guarantees with the LGPD’s principles and the rights of data subjects in mind, including with contractual clauses
3. when the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecuting bodies, in accordance with international law
4. when the transfer is necessary to protect the life or physical safety of the data subject or third party
5. when the ANPD authorizes the transfer
6. when there is an international cooperative agreement enabling the transfer
7. when the transfer is necessary to execute public policy or legal attribution of the public service
8. when the data subject has given prior and informed consent to the transfer and its specific purpose(s)
9. when necessary to meet conditions of items II, V and VI of Article 7

Until the ANPD is fully operational and has reviewed many conditions of the LGPD, companies may be limited to data transfer conditions (or the use of only two recommended): specific and informed consent or the necessity of executing a transfer. There are additional transfer mechanisms under the LGPD, but those listed above are the ones relevant to companies in the course of business.

If a data breach occurs, the controller must report it to the ANPD within a “reasonable” timeframe if it is likely to or has resulted in risk or harm to data subjects. ANPD guidance from 2021 says this information must be communicated within two working days of receiving knowledge of the incident. Personal Data Security Incidents are covered under Article 48.

Notifications to the ANPD must include:

• a description of the nature of the affected personal data
• information about the data subjects involved
• information about the security measures that were in place
• risks created by the incident
• reasons for any delay in communication (if any)
• measures that have or will be adopted to address the breach and prevent a recurrence

The person or company responsible for the data must assess the incident and determine the nature, category, and number of data subjects affected.

The ANPD will verify the seriousness of incidents, and can order the controller to adopt measures to safeguard data subjects’ rights if necessary, including broad disclosure of the incident to the media, or measures to mitigate or reverse the effects of it.

The ANPD may issue special rules and exemptions for the LGPD for small businesses, startups, and similar enterprises, which would provide some flexibility for things like communication of security incidents to the ANPD and data subjects, or deadlines for responding for data subjects’ requests or those of the ANPD.

The LGPD, like many privacy laws, has special provisions for children and their data (Article 14). This is in line with provisions for children’s protection in other Brazilian law and the constitution as well. Under the LGPD a child is anyone under age 18.

Children’s data can be processed, but their best interests must be taken into consideration, and parental consent (or that of a legal representative) is required for all processing activities, prior to those activities commencing.

Controllers must provide information about the data requested in a clear and accessible manner, as well as addressing the purpose of collection and use of the data. Controllers must also make reasonable efforts, using available technologies, to verify that consent was provided by a parent or legal representative.

The conditions for parental consent for children’s data processing are the same as for adults — free, informed, unambiguous, specific, and outstanding. Children cannot be asked to provide personal information beyond what is strictly necessary when engaging with online apps, games, or other similar activities.

A partial exception to the requirement is when data collection before consent is necessary to be able to contact the parents(s) or legal representative in order to obtain consent for the child’s data process. The data can only be used once and not stored or shared with third parties without consent.

Article 15 outlines when processing of personal data should be terminated. This includes when:

• the specific purpose for the processing has been achieved, or the data is no longer needed to achieve it
• the processing period ends
• the data subject provides notice to exercise their right to revoke consent for processing
• the ANPD determines that there has been a violation of the LGPD’s provisions

Pursuant to the termination of processing, the deletion of collected personal data is covered in Article 16. Generally, personal data must be deleted after the end of processing. Exceptions to this, when the data is not deleted right away are:

• in compliance the controller’s legal or regulatory obligation
• for research study, ensuring anonymization where possible
• transfer to a third party, provided legal requirements for this are respected
• exclusive use by the controller, provided the data is anonymized, and there is no third party access

The ANPD is responsible to assess violations and penalties where noncompliance with the LGPD’s provisions has been established. These penalties can include fines of up to 2 percent of the organization’s annual revenue in Brazil, up to a maximum of 50 million Brazilian reals per violation (~€ 8-9 million or ~US $9-10 million).

The ANPD can also block access to data or further data processing, or require deletion of collected personal data. Individuals do have private right of action, which is the right to sue to seek civil damages for privacy violations.

Under Article 42, if a controller or operator commits a violation of the law (“property, moral, individual or collective damage”) regarding the protection of personal data, they are obligated to repair it. As noted earlier, individual data subjects can also sue for damages if harmed by a data-related security breach.

In case of a violation that harms data subjects, the controller is the most likely party liable for damages. However, when the operator has failed to comply with data protection obligations, or hasn’t followed the controller’s instructions, they are “jointly [with the controller] and severally liable for the damages caused by the processing”.

Brazil’s General Data Protection Law is fairly new, but it has a well-established foundation in the influence of the GDPR and Brazil’s existing laws. It’s authoritative body, the ANPD, will also have a strong role in helping the law mature and evolve.

Certainly, technology continues to evolve, and laws must evolve with them. The future of third-party cookies, international trade, child protection, and other considerations are important now and will continue to be.

Organizations will need to prioritize compliance with privacy first design, while balancing it with revenue goals and building customer relationships. The risks of noncompliance are substantial, and most companies cannot afford penalties in the millions of reals.

Fortunately there are tools like consent management platforms to help companies navigate LGPD requirements and communicate them to users.

If you have questions about how the LGPD affects your business, or about consent management for websites and apps, we’re happy to help. Contact one of our experts!